Medibank could face multi-mIllion fine over the cyber attack

Medibank has confirmed that more stolen customer data has been released on the dark web, last Thursday amid reports the hackers have released all files remaining in their possession.

In a statement, Medibank is aware that stolen Medibank customer data has been released on the dark web last Thursday.

According to the statement, there are currently no signs that financial or banking data has been taken. And the personal data stolen, in itself, is not sufficient to enable identity and financial fraud. The raw data we have analysed today so far is incomplete and hard to understand.

Medibank CEO David Koczkar said while there are media reports of this being a signal of ‘case closed’, our work is not over.

“We are remaining vigilant and are doing everything we can to ensure our customers are supported. It’s important everyone stays vigilant to any suspicious activity online or over the phone,” he said.

Medibank advises that the other day the Office of the Australian Information Commission (OAIC) announced it has commenced an investigation into the personal information handling practices of Medibank in relation to the recent cybercrime. Medibank will continue to cooperate with the OAIC and its investigation.

Medibank notes media reports that Maurice Blackburn has lodged a representative complaint with the OAIC. Medibank is not aware of such a complaint being lodged with the OAIC, and it has not been notified by the OAIC or Maurice Blackburn that this has occurred.

Medibank has received a letter from Maurice Blackburn which stated that they intend to file a representative complaint with the OAIC and ask Medibank to respond. Medibank is currently considering Maurice Blackburn’s letter and intends to respond in the time requested.

Meanwhile, the Australian Institute of Criminology (AIC) has released a report which examines the prevalence of data breaches among Australian computer users and the relationship between data breaches and other forms of cybercrime victimisation.

This study draws on data collected in a national survey conducted in mid-2021. The report found that almost one in 10 respondents said they were notified their information was exposed in a data breach in the 12 months prior to the survey.

AIC Deputy Director Dr Rick Brown said survey respondents who had been notified of a data breach were 34% more likely than other respondents to have been a victim of identity crime in the 12 months prior to the survey.

“There were higher rates of identity theft, online scams, fraud and ransomware attacks when comparing the difference in cybercrime victimisation between those who had and had not been the victim of a data breach.  

“The findings demonstrate that it essential we protect individuals who have been exposed in a data breach from other potentially related cybercrimes, and this should be prioritised when data breaches occur,” Dr Brown said.

The most common signs of being a victim of identity theft were:

• being told by a bank their identity had been stolen or their account was misused

• finding unauthorised activity on their credit card

• getting calls about unpaid bills

• finding suspicious transactions on their bank statement

• being unable to apply for credit

• missing or strange bills.

These were all more likely to happen to respondents who had been notified their information was also exposed in a data breach.

“In light of recent major data breaches in Australia, this research should help policymakers and law enforcement partners develop strategies to respond to data breaches and protect victims from repeat victimisation,” Dr Brown said.

All Medibank customers are advised to remain hyper-vigilant of scams via SMS, phone and email.

They're urged to not pay any ransom or engage with any scammer claiming to have their information.

Instead, they should be reported to Scamwatch.gov.au